CVE-2023-46747
CVE-2023-46747 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-31). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 97% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-10-31)
- EU (EUVD) id: EUVD-2023-50916
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-10-31)
- Weakness: CWE-306
- Affected product: F5 Big-ip Access Policy Manager
- Published:
- Last modified:
Description
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2023-46747: F5 BIG-IP TMUI Authentication Bypass Leading to Remote Command Execution
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVE-2023-46747 |
| Severity | CVSS 3.1 9.8 (Critical) |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| EPSS | 0.96515 (99.87th percentile) |
| KEV | Listed 2023-10-31 |
| Ransomware | Confirmed |
| Published | 2023-10-26 |
Summary
F5 BIG-IP systems are affected by a critical authentication bypass vulnerability in the configuration utility (TMUI). An attacker with network access to the BIG-IP management port or self IP addresses can send undisclosed requests that bypass authentication, resulting in arbitrary system command execution.
Background
F5 BIG-IP is a widely deployed family of application delivery controllers and security modules. The configuration utility—also known as the Traffic Management User Interface (TMUI)—provides a web-based management interface for device configuration, monitoring, and troubleshooting. Because TMUI is often exposed to internal networks or the internet for remote management, it represents a high-value attack surface.
Root Cause
The root cause is classified as CWE-306: Missing Authentication for Critical Function. The affected configuration utility fails to enforce authentication on certain undisclosed requests, allowing an unauthenticated attacker to reach administrative functionality and execute arbitrary system commands. Public exploit material referenced by the Packetstorm advisory (see References) ties this issue to AJP request smuggling.
Impact
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).
- Confidentiality: High — an attacker can read sensitive configuration files, certificates, and session data.
- Integrity: High — an attacker can modify system configurations, install backdoors, or alter traffic policies.
- Availability: High — an attacker can crash services, delete resources, or disrupt traffic delivery.
Because the attack requires no privileges and no user interaction, it is trivially exploitable over the network. The high EPSS score (0.96515) and inclusion in CISA's Known Exploited Vulnerabilities catalog confirm that this vulnerability is actively exploited in the wild, including by ransomware operators.
Exploitation Walkthrough
Ethics caveat: This section is provided for defensive and detection purposes only. The objective is to help defenders understand how the attack is structured so they can build effective controls. Do not attempt to use this information against systems you do not own or have explicit authorization to test.
At a high level, exploitation proceeds as follows:
- Reconnaissance: The attacker identifies a BIG-IP system exposing TMUI on the management port or a self IP address.
- AJP Smuggling: The attacker sends a malformed request that is reinterpreted as an AJP request by the backend. The Packetstorm reference material indicates this is related to AJP request smuggling.
- Authentication Bypass: The smuggled request carries attributes that cause the backend to treat the request as internally authenticated, bypassing the normal login requirement.
- Command Execution: With administrative access, the attacker can reach utility endpoints to execute arbitrary system commands with elevated privileges.
- Post-Exploitation: The attacker may extract credentials, modify virtual server configurations, pivot to internal networks, or deploy persistence mechanisms.
Affected and Patched Versions
The following F5 BIG-IP modules and products are listed as vulnerable in the source data:
- BIG-IP Access Policy Manager
- BIG-IP Advanced Firewall Manager
- BIG-IP Advanced Web Application Firewall
- BIG-IP Carrier-Grade NAT
- BIG-IP DDoS Hybrid Defender
- BIG-IP SSL Orchestrator
- BIG-IP Domain Name System
- BIG-IP Local Traffic Manager
- BIG-IP Policy Enforcement Manager
- BIG-IP Automation Toolchain
- BIG-IP Container Ingress Services
- BIG-IP Application Security Manager
- BIG-IP Analytics
- BIG-IP Application Acceleration Manager
- BIG-IP Application Visibility and Reporting
- BIG-IP Fraud Protection Services
- BIG-IP Global Traffic Manager
- BIG-IP Link Controller
- BIG-IP WebAccelerator
- BIG-IP WebSafe
Specific patched version ranges were not provided in the source data. Administrators should consult F5's official advisory (K000137353) to determine whether their installed versions are affected and to obtain the latest hotfixes.
Remediation
- Upgrade: Apply the latest patched version or hotfix from F5 as documented in the official advisory.
- Restrict Access: Block network access to the BIG-IP management interface and self IP addresses from untrusted networks. Use a dedicated, jump-host-only management network.
- Disable Management on Self IPs: If management access via self IP addresses is not required, disable it to reduce the attack surface.
- Compensating Controls: Deploy an upstream web application firewall (WAF) with strict request normalization rules to detect anomalous request patterns.
- Monitoring: Ensure the BIG-IP system is monitored for unauthorized access to administrative functionality and REST endpoints.
Detection
- Network: Monitor for anomalous traffic to the management interface, including requests that may contain AJP-like markers or unexpected protocol transitions.
- Logs: Review TMUI and REST API access logs for unauthenticated requests to administrative endpoints from unexpected source IPs.
- Endpoint: Look for unauthorized bash or tmsh process execution, especially from the web server context. Check for unusual file writes in temporary directories.
- Integrity: Monitor system configuration files and virtual server policies for unauthorized changes after the publication date (2023-10-26).
Assessment
- Exploitation likelihood: Extremely high. With an EPSS of 0.96515 and active KEV listing since 2023-10-31, this vulnerability is being actively exploited by threat actors, including ransomware groups.
- Business impact: Severe. BIG-IP devices often sit at the network edge; compromise can lead to full network infiltration, data breach, or service outage.
- Lessons:
- Segment management interfaces: Management interfaces should never be reachable from general-purpose networks. A management VLAN or out-of-band network would have dramatically reduced exposure to this flaw.
- Protocol hygiene: The presence of dual-protocol handling on the same path is a known anti-pattern. Teams should audit their application stacks for multiple protocol listeners and remove or strictly isolate them.
References
- http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html
- https://my.f5.com/manage/s/article/K000137353
- https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46747
Frequently asked questions
- What is CVE-2023-46747?
- Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
- How severe is CVE-2023-46747?
- CVE-2023-46747 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-46747 being actively exploited?
- Yes. CVE-2023-46747 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-46747?
- CVE-2023-46747 primarily affects F5 Big-ip Access Policy Manager. In total, 20 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-46747?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-46747 have an EU (EUVD) identifier?
- Yes. CVE-2023-46747 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-50916. It is also flagged as exploited in the EUVD (since 2023-10-31).
- When was CVE-2023-46747 published?
- CVE-2023-46747 was published on 2023-10-26 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html
- https://my.f5.com/manage/s/article/K000137353
- https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46747
Affected products (20)
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_services:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*
More vulnerabilities in F5 Big-ip Access Policy Manager
- CVE-2023-41373 — Critical (CVSS 9.9): A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker…
- CVE-2021-22987 — Critical (CVSS 9.9): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x…
- CVE-2025-53521 — Critical (CVSS 9.8): When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code…
- CVE-2022-1388 — Critical (CVSS 9.8): On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6,…
- CVE-2021-23008 — Critical (CVSS 9.8): On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of…
- CVE-2021-22991 — Critical (CVSS 9.8): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and…
All CVEs affecting F5 Big-ip Access Policy Manager →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →